Updated Browsers Still Vulnerable to Attack if Plugins Are Outdated


Psst. Is your browser up-to-date? You may think you are safe because you update the Web browser regularly, but chances are you are still surfing the Web with highly vulnerable software.

Roughly half of Web users are using Web browsers that are vulnerable to known security flaws, said Wolfgang Kandek, CTO of Qualys. The company collected browser data from over a million "typical end-user computers" and found that more than half of the tested machines had critical vulnerabilities that would allow attackers to take remote control of the system, search the disk drive for valuable data, monitor all keystrokes, and intercept private information, Kandek said.

Security experts regularly remind users to update Web browsers as soon as new patches are available. Attackers are more likely to target vulnerabilities that should have been patched a year or two ago, rather than bothering with zero-days. Several popular exploit kits, such as BlackHole, are still successfully targeting vulnerabilities which users should have already closed. For example, a remote execution flaw Oracle patched in Java just last month is still under attack by BlackHole.

"Users of all major browsers have the same problem: They are using outdated software that contains known vulnerabilities," Kandek said.

While the extent of the problem varies across browsers, it is still pervasive. Even Apple Safari, which Kandek called the "best browser," has over 35 percent of its users at risk, Kandek said.

Why Am I Open to Attack?

Kandek is not suggesting that browser makers aren't closing the flaws. In fact, he noted that the rollout of automatic update mechanisms for the major browsers has "improved the situation tremendously," since users no longer have to remember to update the software. He acknowledged that it often is not the browser's fault that vulnerabilities are left open, but rather the plugins'.

Plugins give the browser additional capabilities, such as running applications, watching video, listening to music, and playing games. They are also frequently the target of attacks. Qualys found that 82 percent of the machines it tested had Java installed, and over a third were running out-of-date versions. Adobe Flash was the second most popular plugin, installed on over 67 percent of the machines tested, with about a quarter running vulnerable versions.

"We have to blame the installed plug-ins that contain flaws and remain unpatched," Kandek said.

Update All Installed Browsers, Plugins

Kaspersky Lab researchers found similar numbers in this month's "Global Web Browser Usage and Security Trends" report. While nearly 80 percent of users in the Kaspersky Security Network had the latest version of a browser, the researchers acknowledged the possibility that "quite a lot of users" had their default browser up-to-date, but also had outdated versions of other browsers installed on the same machine, "keeping a security hole open for attacks."

About 17 percent of users were using older browsers, which were not the latest version but still being patched regularly, and 8.5 percent had "obsolete" versions, according to Kaspersky Lab. While that may not sound like a lot, that number "represents millions of users," the report said. Not upgrading browsers means those users are also less likely to update plugins such as Adobe Flash or Java, Kaspersky Lab found.

What To Do Next?

"All of these vulnerabilities can be eliminated by updating to the latest versions of the software installed, both for browsers and plug-ins," Kandek recommended.

Users need to update their browsers and all the plugins and browser extensions on a regular basis.

"It is always not the best time to close all apps, save all documents and wait a while until the updates are installed. But it has to be done," Kaspersky Lab said in the report.

Fahmida Y. Rashid is a senior analyst for business at PCMag.com. She focuses on ways businesses can use technology to work efficiently and easily. She is paranoid about security and privacy, and considers security implications when evaluating business technology. She has written for eWEEK, Dark Reading, and SecurityWeek covering security, core Internet infrastructure, and open source.